CN115622803B - Authority control system and method based on protocol analysis - Google Patents


Publication number: CN115622803B
Authority: CN (China)
Prior art keywords: request, field information, module, client, target
Legal status: Active
Application number: CN202211536906.6A
Other languages: Chinese (zh)
Other versions: CN115622803A (en)
Inventors: 朱燚, 庄恩贵
Current assignee: Beijing Jingan Yun Xin Technology Co ltd
Original assignee: Beijing Jingan Yun Xin Technology Co ltd
Events: application filed by Beijing Jingan Yun Xin Technology Co ltd; priority to CN202211536906.6A; publication of CN115622803A; application granted; publication of CN115622803B; current status active

Classifications (CPC)

    • H04L 63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources (under H04L 63/00)
    • H04L 67/02: Network arrangements or protocols for supporting network services or applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L 67/00, H04L 67/01)
    • H04L 67/146: Session management; markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding (under H04L 67/00, H04L 67/14)
    • All three sit under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication)


Abstract

The invention relates to the field of authority (access) control, in particular to an authority control system and method based on protocol analysis. The system comprises: a receiving module, which receives a client's access request message and splits it into its parts; an analysis module, which matches the fields of the request line and the request headers against a preset keyword library, marks every field that fails to match, and derives target request data from the request body; a determination module, which compares the number of marked fields with preset numbers to determine a policy query result; an execution module, which executes the policy according to that result; and a response module, which receives the requested resource constructed by the target server, builds a response message from it and sends the response to the client. Because the access request is received and analysed in full before it reaches the target server, and the policy is determined from that analysis, authority control over the client is more accurate.

Description

Authority control system and method based on protocol analysis
Technical Field
The invention relates to the field of authority control, in particular to an authority control system and method based on protocol analysis.
Background
With the rapid development of the internet, the volume of data a user can obtain has grown explosively, but that data is not inherently safe. To protect it, security rules or policies are set through authority management so that a user can access only the data they are authorised for.
Chinese patent publication CN115037551A discloses a connection authority control method comprising: in response to an access request for a container cluster sent by a client, obtaining the client's internet protocol address before a connection to the cluster's back-end system is established; calling a pre-loaded address-writing module to write that IP address into an address option of the target protocol layer; adding an address access policy corresponding to the IP address in that address option; when the address access policy is an allow policy, calling a preset tracking plug-in to track the IP address and obtain the target container in the cluster accessed by the client and the data exchanged between the client and that container; and controlling the connection authority between the client and the container cluster according to the exchanged data and a preset flow control rule.
In this prior art the address access policy is decided from the client's IP address at the time the client sends its access request. Because the authority control operates only at the level of whether a connection is allowed, and is limited to analysing and tracking the client's IP address to pick the access policy, it is inaccurate.
Disclosure of Invention
Therefore, the invention provides an authority control system and method based on protocol analysis, which address the problem of inaccurate authority control.
To that end, one aspect of the invention provides a protocol-analysis-based authority control system comprising:
a receiving module, which receives a client's access request message and splits it into a request line, request headers and a request body;
an analysis module, connected to the receiving module, which matches the method field, the URL field and the HTTP version field of the request line, and each of the request header fields, against a preset keyword library, marks every method, URL, HTTP version or header field that fails to match, checks whether the request body is empty and, if not, generates the target request data from the request data in the body, or, if the body is empty, generates it from the URL field or from request data in the request headers;
a determination module, connected to the analysis module, which compares the number of marked fields with preset numbers to determine a policy query result, the result being one of forbid, pass or authenticate;
an execution module, connected to the determination module, which executes the policy according to the policy query result: a forbid or authenticate result is sent to the client, to deny it access to the target server or to authenticate it, and a pass result is sent on to the target server;
and a response module, connected to the execution module, which receives the requested resource that the target server constructs by looking up the target request data, generates a response message from that resource and sends it to the client as the response.
Further, when the analysis module matches the request line against the preset keyword library, it identifies the method field, the URL field and the HTTP version field in the request line. Each method has its own preset request-line keyword library; the library for the request's method is selected, the URL field and the HTTP version field are each matched against it, and whichever of the two fails to match is marked.
Further, when the analysis module matches the request headers against the preset keyword library, each of the request header fields is matched against the preset request-header keyword library and every header field that fails to match is marked.
Further, when the analysis module generates the target request data it checks whether the request body is empty: if it is, the request data carried in the URL field is taken as the target request data; otherwise the request data in the body is taken.
Further, when the determination module performs the policy query on the matching result, it examines the marked URL field, the marked HTTP version field and the marked request header fields. If the client-type field in the request headers is marked, an initial policy query is performed whose result is tentative;
when the initial policy query is tentative, the number W of marked fields is counted over the URL field, the HTTP version field and the remaining marked header fields other than the client-type field, and W is compared with a first preset number W1 and a second preset number W2, where W1 < W2:
if W > W2, the determination module sets the final policy query result to forbid;
if W1 <= W <= W2, the determination module sets the final policy query result to authenticate;
and if W < W1, the determination module sets the final policy query result to pass.
Further, when the execution module executes the policy according to the policy query result: if the final result is forbid, it generates an error status code in the 400-499 range and sends it to the client, denying the client access to the target server; if the final result is pass, it sends the target request data to the target server; if the final result is authenticate, it generates identity authentication information and sends it to the client to authenticate it, and once authentication succeeds the analysis module analyses the access request message again to generate the target request data, which the execution module then sends to the target server.
The protocol-analysis-based authority control system of the invention further comprises a processing module. It measures the time T1 from the moment the execution module sends the target request data to the target server until the response module receives the requested resource from the target server, and the time T2 from that moment until the response module has generated the response message from the resource and sent it to the client. It computes the actual response time T = T1 + T2 and compares it with a preset response time T0:
if T > T0, the processing module judges that the actual response time does not meet the standard;
and if T <= T0, the processing module judges that the actual response time meets the standard.
Further, when the processing module judges that the actual response time does not meet the standard, it compares T1 and T2 each with T0/2 and decides from the comparison whether the target server and the response module are operating normally:
if T1 >= T0/2 and T2 <= T0/2, the processing module judges that the target server is abnormal and the response module is normal;
if T1 <= T0/2 and T2 >= T0/2, the processing module judges that the target server is normal and the response module is abnormal;
if T1 > T0/2 and T2 > T0/2, the processing module judges that both the target server and the response module are abnormal.
Since T > T0 in this branch, at least one of T1 and T2 exceeds T0/2, so these three cases cover every possibility without overlapping.
Further, according to that judgement the processing module marks the abnormal component: it marks the target server when the target server is abnormal and the response module normal;
it marks the response module when the target server is normal and the response module abnormal;
and it marks both when both are abnormal.
If a target server has been marked, then the next time a client sends an access request to that server the client's credibility level is determined from the number of times the client has accessed the marked server within a preset time range, and when the credibility level exceeds a preset level the client's access request is forwarded to the marked target server with priority;
if the response module has been marked, then the next time it generates response messages from requested resources it first generates and sends the response messages whose clients have a credibility level above the preset level.
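The processing module's timing check and the marking and priority rule that follows it, as an added example in Python (this is not the patent's code; the budget T0, the history window, the preset credibility level and the credibility formula are assumptions, and all timings and access history are constructed):

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Verdict:
    meets_standard: bool
    server_abnormal: bool
    response_module_abnormal: bool


def judge_timing(t1: float, t2: float, t0: float) -> Verdict:
    """T = T1 + T2 against T0; when over budget, each stage against T0/2."""
    if t1 + t2 <= t0:
        return Verdict(True, False, False)
    half = t0 / 2
    # T > T0 implies at least one stage exceeds T0/2, so the three branches
    # below are exhaustive and mutually exclusive.
    if t1 >= half and t2 <= half:
        return Verdict(False, True, False)   # target server slow
    if t1 <= half and t2 >= half:
        return Verdict(False, False, True)   # response module slow
    return Verdict(False, True, True)        # both slow


# (client, server, timestamp) tuples of past accesses; constructed for the example
History = Iterable[Tuple[str, str, float]]


def credibility(history: History, client: str, server: str, now: float, window: float) -> int:
    """Assumed formula: number of the client's accesses to `server` in the last
    `window` seconds. The page names these inputs but gives no formula."""
    return sum(1 for c, s, ts in history if c == client and s == server and now - ts <= window)


class ProcessingModule:
    def __init__(self, t0: float, window: float, level0: int):
        self.t0, self.window, self.level0 = t0, window, level0
        self.marked_servers: Set[str] = set()
        self.response_module_marked = False

    def record(self, server: str, t1: float, t2: float) -> Verdict:
        """Run the timing check for one request and mark whatever it finds abnormal."""
        v = judge_timing(t1, t2, self.t0)
        if v.server_abnormal:
            self.marked_servers.add(server)
        if v.response_module_abnormal:
            self.response_module_marked = True
        return v

    def order(self, queue: List[Tuple[str, str]], history: History, now: float) -> List[Tuple[str, str]]:
        """Queue items are (client, server). Work for a marked server, or any work
        while the response module is marked, goes first when the client's
        credibility exceeds level0; the stable sort keeps the rest in order."""
        hist = list(history)

        def prio(item: Tuple[str, str]) -> int:
            client, server = item
            marked = server in self.marked_servers or self.response_module_marked
            trusted = credibility(hist, client, server, now, self.window) > self.level0
            return 0 if marked and trusted else 1

        return sorted(queue, key=prio)


# Constructed history and queue (not real traffic).
HISTORY = [("alice", "srv-a", 90.0), ("alice", "srv-a", 95.0),
           ("alice", "srv-a", 99.0), ("bob", "srv-a", 10.0)]
QUEUE = [("bob", "srv-a"), ("carol", "srv-b"), ("alice", "srv-a")]


def demo() -> List[Tuple[str, str]]:
    pm = ProcessingModule(t0=0.5, window=60.0, level0=2)
    pm.record("srv-a", 0.4, 0.2)   # T = 0.6 > T0 and T1 > T0/2: srv-a is marked
    return pm.order(QUEUE, HISTORY, now=100.0)
```

The check runs after the fact on measured durations, so it only ever explains a slow response; it does not prevent one. The page's priority rule is a scheduling decision based on past behaviour, and the credibility count here should be read as one placeholder for the "historical access times within a preset time range" the text describes, not as the patent's formula.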
The invention also provides a protocol-analysis-based authority control method comprising the following steps:
receiving a client's access request message and splitting it into a request line, request headers and a request body;
matching the method field, the URL field and the HTTP version field of the request line, and each of the request header fields, against a preset keyword library, marking every method, URL, HTTP version or header field that fails to match, checking whether the request body is empty and, if not, generating the target request data from the request data in the body, or, if the body is empty, generating it from the URL field of the request line or from request data in the request headers;
comparing the number of marked fields with preset numbers to determine a policy query result, the result being one of forbid, pass or authenticate;
executing the policy according to the policy query result: sending a forbid or authenticate result to the client, to deny it access to the target server or to authenticate it, and sending a pass result on to the target server;
and receiving the requested resource that the target server constructs by looking up the target request data, generating a response message from that resource and sending it to the client as the response.
Compared with the prior art: the receiving module receives and splits the client's access request message; the analysis module matches the fields of the request line and request headers against the preset keyword library, marks the fields that fail, and derives target request data from the request body; the determination module compares the number of marked fields with the preset numbers to determine the policy query result, that is, the authority the target server grants this client; and the execution module executes that result to decide whether the client's access request is released. Because the request is received and analysed before it reaches the target server, the client application itself does not need to be modified, only the content of its access request, and because the request line, request headers and request body are all analysed to determine the policy, authority control over the client is more accurate.
In particular, the analysis module matches the fields of the request line and request headers against the preset keyword library, marks the fields that fail and derives the target request data from the request body, so that the determination module can decide the final policy query result precisely from the number of marked fields and the preset numbers; the execution module then executes that result to decide whether to release the client's access request. The request line, request headers and request body are all analysed to determine the policy, and the two-stage determination (the initial query on the client-type field, then the count of the remaining marks) makes authority control over the client more accurate.
In particular, after each access request message has been analysed and answered, the processing module measures the time from when the execution module sends the target request data to the target server until the response module receives the requested resource, and the time from then until the response module has generated the response message and sent it to the client; it compares the actual response time with the preset response time to judge whether the client was answered within the standard time, so that clients are answered promptly.
In particular, when the processing module judges that the actual response time does not meet the standard, it examines the two stages of the response separately to find which stage caused the delay: each stage's time is compared with half of the preset response time to judge whether the target server and the response module behind those stages are operating normally, and the abnormal one is marked. When a marked target server or response module next receives access request messages or target request data, it processes and answers them in order of client priority. This prevents an excess of requests from keeping a target server or the response module busy and slowing its responses, so that abnormal operation is countered and clients continue to be answered quickly.
Drawings
Fig. 1 is a schematic structural diagram of an authority control system based on protocol analysis according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a rights control system based on protocol analysis according to another embodiment of the present invention;
fig. 3 is a flowchart illustrating a method for controlling authority based on protocol analysis according to an embodiment of the present invention.
Detailed Description
In order that the objects and advantages of the invention will be more clearly understood, the invention is further described below with reference to examples; it should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are only for explaining the technical principles of the present invention, and do not limit the scope of the present invention.
It should be noted that in the description of the present invention, the terms of direction or positional relationship indicated by the terms "upper", "lower", "left", "right", "inner", "outer", etc. are based on the directions or positional relationships shown in the drawings, which are only for convenience of description, and do not indicate or imply that the device or element must have a specific orientation, be constructed in a specific orientation, and be operated, and thus, should not be construed as limiting the present invention.
Furthermore, it should be noted that, in the description of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
Referring to fig. 1, a protocol-analysis-based authority control system according to an embodiment of the invention comprises:
a receiving module 110, which receives a client's access request message and splits it into a request line, request headers and a request body;
an analysis module 120, connected to the receiving module, which matches the method field, the URL field and the HTTP version field of the request line, and each of the request header fields, against a preset keyword library, marks every method, URL, HTTP version or header field that fails to match, checks whether the request body is empty and, if not, generates the target request data from the request data in the body, or, if the body is empty, generates it from the URL field of the request line or from request data in the request headers;
a determination module 130, connected to the analysis module, which compares the number of marked fields with preset numbers to determine a policy query result, the result being one of forbid, pass or authenticate;
an execution module 140, connected to the determination module, which executes the policy according to the policy query result: a forbid or authenticate result is sent to the client, to deny it access to the target server or to authenticate it, and a pass result is sent on to the target server;
and a response module 150, connected to the execution module, which receives the requested resource that the target server constructs by looking up the target request data, generates a response message from that resource and sends it to the client as the response.
Specifically, the protocol-analysis-based authority control system of this embodiment is deployed between the client and the server and receives client access requests through an HTTP gateway. The receiving module and the analysis module split and analyse each access request; the determination module determines the client's authority, that is, the policy for this client, from the analysis result; the execution module carries out the policy query result, establishing a connection to the target server when the result is pass and sending the analysed target request data to it; and the target server returns the constructed resource to the client through the response module. The response message consists of a status line, response headers and a response body.
Specifically, in this embodiment the receiving module receives and splits the client's access request message; the analysis module matches the fields of the request line and request headers against the preset keyword library, marks the fields that fail and derives target request data from the request body; the determination module compares the number of marked fields with the preset numbers to determine the policy query result, that is, the authority the target server grants this client; and the execution module executes that result to decide whether to release the client's access request. The request is received and analysed before it reaches the target server, so only the content of the client's access request matters, and the request line, request headers and request body are all analysed to determine the policy, which makes authority control over the client more accurate.
Specifically, when the analysis module matches the request line against the preset keyword library, it identifies the method field, the URL field and the HTTP version field in the request line. Each method has its own preset request-line keyword library; the library for the request's method is selected, the URL field and the HTTP version field are each matched against it, and whichever of the two fails to match is marked.
Specifically, the method fields include GET, POST, HEAD, PUT, DELETE, OPTIONS, TRACE and CONNECT, and the HTTP version fields include HTTP/1.0, HTTP/1.1, HTTP/2 and so on; the set of methods defined differs between versions (HTTP/1.0 specifies only GET, HEAD and POST as standard methods, while HTTP/1.1 adds OPTIONS, PUT, DELETE, TRACE and CONNECT), which is why each HTTP version corresponds to different method fields.
Specifically, when the analysis module matches the request headers against the preset keyword library, each of the request header fields is matched against the preset request-header keyword library and every header field that fails to match is marked.
Specifically, the preset request-header keyword library covers headers such as the client type (User-Agent), Cookie, Referer (the header name keeps its historical misspelling) and Host.
Specifically, when the analysis module generates the target request data it checks whether the request body is empty: if it is, the request data carried in the URL field is taken as the target request data; otherwise the request data in the body is taken.
Specifically, in this embodiment the analysis module matches the fields of the request line and request headers against the preset keyword library, marks the fields that fail and derives the target request data from the request body, so that the determination module can decide the policy query result precisely by comparing the number of marked fields with the preset numbers, and the execution module can execute that result to decide whether to release the client's access request; analysing the request line, request headers and request body together to determine the policy makes authority control over the client more accurate.
Specifically, when the determination module performs the policy query on the matching result, it examines the marked URL field, the marked HTTP version field and the marked request header fields. If the client-type field in the request headers is marked, an initial policy query is performed and its result is set to tentative;
when the initial policy query is tentative, the number W of marked fields is counted over the URL field, the HTTP version field and the remaining marked header fields other than the client-type field, and W is compared with a first preset number W1 and a second preset number W2, where W1 < W2:
if W > W2, the determination module sets the final policy query result to forbid;
if W1 <= W <= W2, the determination module sets the final policy query result to authenticate;
and if W < W1, the determination module sets the final policy query result to pass.
Specifically, the embodiment of the invention firstly carries out primary policy query by a determining module according to the condition that the field information of the client type in the request header is marked, then compares the quantity of the remaining marked field information with the preset quantity to determine a policy query result, analyzes the access policy of the client, namely the authority of a target server to the client, further enables an executing module to carry out policy execution according to the final policy query result to determine whether to release the access request message of the client, further ensures the safety of the target server according to the authority control of the client, comprehensively analyzes the request line, the request header and the request text in the access request to determine the corresponding policy, and enables the authority control of the client to be more accurate through two determinations.
Specifically, when the execution module performs policy execution according to the policy query result: if the final policy query result is prohibition, the execution module generates an error status code in the 400-499 range and sends it to the client, so that the client is prohibited from accessing the corresponding target server; if the final policy query result is pass, the execution module sends the target request data to the corresponding target server; if the final policy query result is authentication, the execution module generates identity authentication information and sends it to the corresponding client to authenticate the client, and when the identity authentication result is successful, the analysis module analyzes the corresponding access request message to generate the target request data, which the execution module then sends to the corresponding target server.
Specifically, if the final policy query result is prohibition, the client may change the specific content of the access request message and resend it; the execution module then generates identity authentication information and sends it to the client, the client performs identity authentication according to that information, and after the identity authentication is passed, the execution module sends the corresponding target request data to the corresponding target server.
Referring to fig. 2, the authority control system based on protocol analysis according to the embodiment of the present invention further includes a processing module 160, configured to obtain a time T1 from when the execution module sends the target request data to the target server until the response module receives the request resource sent by the target server, to obtain a time T2 from when the response module receives the request resource sent by the target server until the response module generates a response message from the request resource and sends it to the client, to calculate an actual response time T, where T = T1 + T2, and to compare the actual response time T with a preset response time T0;
if T is larger than T0, the processing module judges that the actual response time does not meet the standard;
and if T is less than or equal to T0, the processing module judges that the actual response time meets the standard.
Specifically, in the embodiment of the present invention, each time analysis of and response to an access request message is completed, the processing module obtains the time from when the execution module sends the target request data to the target server until the response module receives the request resource sent by the target server, and the time from then until the response module generates a response message from the request resource and sends it to the client. It compares the resulting actual response time with the preset response time and determines whether the actual response time meets the standard, that is, whether the access request message of the client was responded to within the standard time, so as to ensure that the client is responded to quickly.
Specifically, when the processing module determines that the actual response time does not meet the standard, the processing module compares time T1 and time T2 with T0/2 respectively, and determines whether the target server and the response module operate normally according to the comparison result;
if T1 is more than or equal to T0/2 and T2 is less than or equal to T0/2, the processing module judges that the target server operates abnormally, and the response module operates normally;
if T1 is less than or equal to T0/2 and T2 is greater than or equal to T0/2, the processing module judges that the target server operates normally, and the response module operates abnormally;
if T1 is greater than T0/2 and T2 is greater than T0/2, the processing module judges that the target server runs abnormally, and the response module runs abnormally.
Specifically, in the embodiment of the present invention, when the processing module determines that the actual response time does not meet the standard, it analyzes the times of the two stages of the response separately to determine which stage has a problem and causes the response to be untimely: it compares the time of each stage with the average time T0/2 and determines whether the target server and the response module corresponding to the two stages operate normally, so that measures can be taken against abnormal operation of the target server or the response module and the client can still be responded to quickly.
Specifically, when the processing module determines whether the target server and the response module operate normally according to the comparison result, if the processing module determines that the target server operates abnormally and the response module operates normally, the processing module marks the target server;
if the target server is judged to operate normally and the response module operates abnormally, the processing module marks the response module;
if the target server is judged to be abnormal in operation and the response module is judged to be abnormal in operation, the processing module marks the target server and the response module;
if the target server is marked by the processing module, when the client sends an access request to the marked target server next time, the credibility level of the client is confirmed according to the historical access times and the preset access time range of the client to the marked target server within the preset time, and when the credibility level of the client is greater than the preset credibility level, the access request of the client is preferentially sent to the marked target server;
if the response module is marked by the processing module, the response module generates a response message from the request resource next time, and the response module preferentially generates a response message from the request resource of which the credibility level of the client corresponding to the response message is higher than the preset credibility level and preferentially sends the response message to the corresponding client.
Specifically, in the embodiment of the present invention, when the processing module determines that the actual response time does not meet the standard, it analyzes the times of the two stages of the response separately, determines which stage has a problem and causes the response to be untimely, compares the time of each stage with the average time, and determines whether the target server and the response module corresponding to the two stages operate normally. It further marks the abnormal target server or response module. When the marked target server or response module next receives access request messages and target request data, these are processed and responded to according to the priority of the client, which prevents the target server and the response module from becoming busy with an excessive number of access request messages and target request data, with the resulting drop in processing speed and slow responses. Measures are thus taken against abnormal operation of the target server and the response module, ensuring that the client can be responded to quickly.
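The processing module's response-time check, the T0/2 stage attribution, and the marking followed by client-priority handling described above, written out as an added Python example that is not part of the patent. The value of T0, the window used for the credibility level, the preset credibility level and the credibility formula itself are assumptions: the patent names the inputs of the credibility level (historical access times within a preset time range) but gives no formula, so the example counts recent accesses.

```python
"""
Added example (not the patent's code): response-time standard check, per-stage
attribution against T0/2, and the priority handling that follows marking.
All numeric settings below are assumed values.
"""
from dataclasses import dataclass, field

T0 = 2.0   # preset response time in seconds (assumed)


def actual_response_time(t1: float, t2: float) -> float:
    """T = T1 + T2: time for the target server to return the request resource,
    plus time for the response module to build and send the response message."""
    return t1 + t2


def meets_standard(t1: float, t2: float, t0: float = T0) -> bool:
    """The actual response time meets the standard when T <= T0."""
    return actual_response_time(t1, t2) <= t0


def attribute_delay(t1: float, t2: float, t0: float = T0) -> tuple:
    """Which stage(s) caused a slow response, using the patent's T0/2 comparisons.
    Returns () when the standard is met. When T1 + T2 > T0 at least one of T1, T2
    exceeds T0/2, so the three branches below cover every remaining case and the
    boundary overlap (T1 = T2 = T0/2) is never reached."""
    if meets_standard(t1, t2, t0):
        return ()
    half = t0 / 2
    if t1 >= half and t2 <= half:      # server stage slow, response module fine
        return ("target_server",)
    if t1 <= half and t2 >= half:      # response module slow, server fine
        return ("response_module",)
    return ("target_server", "response_module")   # both stages above T0/2


@dataclass
class Marks:
    """Components the processing module has marked as operating abnormally."""
    target_servers: set = field(default_factory=set)
    response_module: bool = False

    def apply(self, server: str, stages: tuple) -> None:
        """Record the result of attribute_delay() for a given target server."""
        if "target_server" in stages:
            self.target_servers.add(server)
        if "response_module" in stages:
            self.response_module = True


def credibility_level(access_times, now: float, window: float) -> int:
    """Assumed measure: number of the client's historical accesses to the marked
    target server that fall inside the preset window ending at `now`."""
    return sum(1 for ts in access_times if now - window <= ts <= now)


def schedule(requests, marks: Marks, preset_level: int) -> list:
    """Order pending requests by id: for a marked target server (or a marked
    response module, which affects every response), requests from clients whose
    credibility level exceeds the preset level go first; all other requests keep
    their arrival order because sorted() is stable."""
    def is_priority(r):
        affected = r["server"] in marks.target_servers or marks.response_module
        return affected and r["credibility"] > preset_level
    return [r["id"] for r in sorted(requests, key=lambda r: not is_priority(r))]


if __name__ == "__main__":
    marks = Marks()
    marks.apply("s1", attribute_delay(1.5, 0.75))   # s1 slow, response module fine
    pending = [  # constructed sample of queued requests
        {"id": "r1", "server": "s1", "credibility": 0},
        {"id": "r2", "server": "s1", "credibility": credibility_level([100, 150, 190], 200, 60)},
        {"id": "r3", "server": "s2", "credibility": 9},
    ]
    print(marks, schedule(pending, marks, preset_level=1))
```

`attribute_delay()` is only meaningful once `meets_standard()` has failed; it returns an empty tuple otherwise so callers never mark a healthy component.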
Referring to fig. 3, a method for controlling authority based on protocol analysis according to an embodiment of the present invention includes:
step S210, receiving an access request message of a client and dividing the access request message into a request line, a request header and a request text;
step S220, respectively performing target keyword matching on the method field information, the URL field information, the HTTP protocol version field information in the request line and a plurality of request header field information items according to a preset keyword library, marking the method field information, the URL field information, the HTTP protocol version field information or the request header field information that fails to match, judging whether the request text is empty in order to acquire the request data in the request text and generate target request data, and generating the target request data according to the URL field information or the request data in the request header when the request text is empty;
step S230, comparing the number of the marked field information with a preset number to determine a strategy inquiry result, wherein the strategy inquiry result comprises prohibition, passing or authentication;
step S240, executing the strategy according to the strategy inquiry result, sending the prohibited or authenticated strategy inquiry result to the corresponding client to prohibit the client from accessing the corresponding target server or authenticate the client, and sending the passed strategy inquiry result to the corresponding target server;
step S250, receiving a request resource constructed by the target server performing target request data search according to the target request data, and sending a response message generated by the request resource to the corresponding client for response.
Specifically, the access request message of the client is received and divided; the field information in the request line and the request header is then subjected to target keyword matching according to the preset keyword library, the field information that fails to match is marked, and the target request data is generated from the request text. The number of marked field information items is compared with the preset number to determine the policy query result, which analyzes the access policy of the client, that is, the permission the target server grants the client; policy execution is then performed according to the policy query result to decide whether the access request message of the client is released. Because the access request is received and analyzed before it reaches the target server, only the content of the access request needs to be adjusted on the client application, and since the request line, the request header and the request text of the access request are analyzed together to determine the corresponding policy, the permission control of the client is more accurate.
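The pipeline of the system embodiment (analysis module, determination module and execution module) and of method steps S210 to S240 above, as one added Python example that is not the patent's own code. The keyword libraries, the choice of the User-Agent header as the client type field, the values of W1 and W2, and the specific status codes 403 and 401 are assumptions; the patent only specifies a code in the 400-499 range for prohibition and does not state which rule applies when the client type field is not marked, so the example applies the same W thresholds in that case. The three sample requests are constructed.

```python
"""
Added example (not the patent's code): divide an HTTP request, match its fields
against per-method keyword libraries, mark failures, build the target request
data, derive the policy query result from the count W, and execute it.
"""
from dataclasses import dataclass, field

# Assumed keyword libraries. Each method field has its own request-line library
# (allowed URL prefixes and HTTP versions); headers share one library.
REQUEST_LINE_KEYWORDS = {
    "GET":  {"url_prefixes": ("/api/", "/static/"), "versions": ("HTTP/1.1", "HTTP/2")},
    "POST": {"url_prefixes": ("/api/",),            "versions": ("HTTP/1.1", "HTTP/2")},
}
HEADER_KEYWORDS = {
    "host":       ("example.internal",),   # assumed trusted host names
    "user-agent": ("TrustedClient/",),     # taken here as the client type field
    "accept":     ("application/json",),
}
CLIENT_TYPE_HEADER = "user-agent"
W1, W2 = 1, 3   # first and second preset numbers, W1 < W2 (assumed)

# Constructed sample requests.
GOOD_REQUEST = ("GET /api/users?id=7 HTTP/1.1\r\nHost: example.internal\r\n"
                "User-Agent: TrustedClient/1.0\r\nAccept: application/json\r\n\r\n")
BAD_REQUEST = "DELETE /admin HTTP/1.0\r\nHost: evil.example\r\nUser-Agent: curl/8.0\r\n\r\n"
SUSPECT_REQUEST = ("POST /api/login HTTP/1.0\r\nHost: example.internal\r\n"
                   "User-Agent: curl/8.0\r\n\r\n" '{"user": "alice"}')


@dataclass
class Analysis:
    method: str
    marked: list = field(default_factory=list)   # field names that failed matching
    target_request_data: str = ""


def split_request(raw: str):
    """Divide a raw HTTP/1.x message into request line, header dict and request text."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def analyze(raw: str) -> Analysis:
    """Analysis module: keyword matching, marking, and target request data."""
    request_line, headers, body = split_request(raw)
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, url, version = parts
    a = Analysis(method=method)
    lib = REQUEST_LINE_KEYWORDS.get(method)
    if lib is None:                       # unknown method: mark it, nothing else can match
        a.marked.append("method")
        lib = {"url_prefixes": (), "versions": ()}
    if not url.startswith(lib["url_prefixes"]):
        a.marked.append("url")
    if version not in lib["versions"]:
        a.marked.append("version")
    for name, allowed in HEADER_KEYWORDS.items():
        value = headers.get(name, "")       # a missing header also fails to match
        if not any(value.startswith(k) for k in allowed):
            a.marked.append("header:" + name)
    # Request text present: it is the request data; empty: fall back to the URL.
    a.target_request_data = body if body else url
    return a


def determine_policy(a: Analysis) -> dict:
    """Determination module: tentative initial result when the client type field
    is marked, then the count W (URL, version and headers other than the client
    type; the method field is not counted) against W1 and W2."""
    client_type = "header:" + CLIENT_TYPE_HEADER
    initial = "tentative" if client_type in a.marked else None
    w = sum(1 for m in a.marked if m not in ("method", client_type))
    if w > W2:
        final = "prohibition"
    elif w >= W1:
        final = "authentication"
    else:
        final = "pass"
    return {"initial": initial, "W": w, "final": final}


def execute(a: Analysis, final: str) -> dict:
    """Execution module: 4xx response, authentication challenge, or forwarding."""
    if final == "prohibition":
        return {"action": "respond", "status": 403}           # any 400-499 code
    if final == "authentication":
        return {"action": "challenge", "status": 401, "header": "WWW-Authenticate: Bearer"}
    return {"action": "forward", "target_request_data": a.target_request_data}


def handle(raw: str) -> dict:
    """Run one access request message through all three stages."""
    a = analyze(raw)
    return execute(a, determine_policy(a)["final"])


if __name__ == "__main__":
    for req in (GOOD_REQUEST, BAD_REQUEST, SUSPECT_REQUEST):
        print(handle(req))
```

Note that a request with an unrecognized method collects marks for the URL and version as well, since an empty library matches nothing; that mirrors the patent's per-method keyword library rather than being a separate rule.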
So far, the technical solutions of the present invention have been described in connection with the preferred embodiments shown in the drawings, but it is apparent to those skilled in the art that the scope of the present invention is not limited to these specific embodiments. Equivalent changes or substitutions of related technical features can be made by those skilled in the art without departing from the principle of the invention, and the technical scheme after the changes or substitutions can fall into the protection scope of the invention.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention; various modifications and alterations to this invention will become apparent to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (9)

1. An entitlement control system based on protocol analysis, comprising:
the receiving module is used for receiving an access request message of a client and dividing the access request message into a request line, a request header and a request text;
the analysis module is connected with the receiving module and is used for respectively carrying out target keyword matching on the method field information, the URL field information, the HTTP protocol version field information in the request line and a plurality of request header field information items according to a preset keyword library, marking the method field information, the URL field information, the HTTP protocol version field information or the request header field information that fails to match, judging whether the request text is empty in order to obtain the request data in the request text and generate target request data, and generating the target request data according to the URL field information or the request data in the request header when the request text is empty;
the determining module is connected with the analyzing module and used for comparing the number of the marked field information with a preset number so as to determine a strategy inquiry result, and the strategy inquiry result comprises prohibition, pass or authentication;
the execution module is connected with the determination module and used for executing the strategy according to the strategy inquiry result, sending the forbidden or authenticated strategy inquiry result to the corresponding client so as to forbid the client to access the corresponding target server or authenticate the client, and sending the passed strategy inquiry result to the corresponding target server;
the response module is connected with the execution module and used for receiving a request resource constructed by the target server for searching target request data according to the target request data, generating a response message from the request resource and sending the response message to the corresponding client for responding;
when the determining module carries out strategy query according to a matching result, the marked URL field information, the marked HTTP protocol version field information and the marked request header field information are analyzed, initial strategy query is carried out when the client type field information in the request header is marked, and the strategy query result corresponding to the initial strategy query is tentative;
when the initial policy query is tentative, counting the number W of the marked URL field information, the marked HTTP protocol version field information and the remaining marked field information except the client type field information in the request header, and comparing the number W with a first preset number W1 and a second preset number W2, wherein W1 is less than W2;
if W is larger than W2, the determining module determines that the final strategy inquiry result is forbidden;
if W is not less than W1 and not more than W2, the determining module determines that the final strategy query result is authentication;
and if W is less than W1, the determining module determines that the final strategy query result is a pass.
2. The system of claim 1, wherein the analysis module identifies method field information, URL field information, and HTTP protocol version field information in the request line when matching a target keyword of the request line according to a preset keyword library, the method field information including a plurality of method fields, each method field corresponding to a preset request line keyword library, obtains the corresponding preset request line keyword library according to the method fields, matches the URL field information and the HTTP protocol version field information with the preset request line keyword library, respectively, and tags URL field information or HTTP protocol version field information that failed in matching.
3. The system according to claim 2, wherein when the analysis module performs target keyword matching on the request header according to a preset keyword library, the request header includes a plurality of pieces of request header field information, matches the request header field in the request header with the preset request header keyword library, and marks the request header field information that fails to be matched.
4. The system of claim 3, wherein the analysis module determines whether the request body is empty when generating the target request data according to whether the request body is empty, acquires the request data corresponding to the URL field information if the request body is empty, generates the target request data for the request data corresponding to the URL field information, and generates the target request data for the request data in the request body if the request body is not empty.
5. The system of claim 4, wherein when the enforcement module performs policy enforcement according to the policy query result, if the final policy query result is prohibition, the enforcement module generates a 400-499 error status code and sends the error status code to the client to prohibit the client from accessing the corresponding target server; if the final policy query result is pass, the enforcement module sends the target request data to the corresponding target server; if the final policy query result is authentication, the enforcement module generates identity authentication information and sends the identity authentication information to the corresponding client to authenticate the client, and if the identity authentication result is successful, the analysis module analyzes the corresponding access request packet to generate the target request data, so that the enforcement module sends the target request data to the corresponding target server.
6. The system according to claim 5, further comprising a processing module, configured to obtain a time T1 from the time when the execution module sends the target request data to the target server to the time when the response module receives the request resource sent by the target server, obtain a time T2 from the time when the response module receives the request resource sent by the target server to the time when the response module sends the request resource generation response message to the client, and calculate an actual response time T, T = T1+ T2, and compare the actual response time T with a preset response time T0;
if T is larger than T0, the processing module judges that the actual response time does not meet the standard;
and if T is less than or equal to T0, the processing module judges that the actual response time meets the standard.
7. The system of claim 6, wherein when the processing module determines that the actual response time does not meet the standard, the processing module compares the time T1 and the time T2 with T0/2, respectively, and determines whether the target server and the response module operate normally according to the comparison result;
if T1 is more than or equal to T0/2 and T2 is less than or equal to T0/2, the processing module judges that the target server operates abnormally, and the response module operates normally;
if T1 is not more than T0/2 and T2 is not less than T0/2, the processing module judges that the target server operates normally, and the response module operates abnormally;
if T1 is larger than T0/2 and T2 is larger than T0/2, the processing module judges that the target server runs abnormally, and the response module runs abnormally.
8. The system according to claim 7, wherein when the processing module determines whether the target server and the response module operate normally according to the comparison result, if the processing module determines that the target server operates abnormally and the response module operates normally, the processing module marks the target server;
if the target server is judged to operate normally and the response module operates abnormally, the processing module marks the response module;
if the target server is judged to be abnormal in operation and the response module is judged to be abnormal in operation, the processing module marks the target server and the response module;
if the target server is marked by the processing module, the client confirms the credibility level of the client according to the historical access times and the preset access time range of the client to the marked target server in the preset time when the client sends an access request to the marked target server next time, and when the credibility level of the client is greater than the preset credibility level, the access request of the client is preferentially sent to the marked target server;
if the response module is marked by the processing module, the response module generates a response message from the request resource next time, and the response module preferentially generates a response message from the request resource of which the credibility level of the client corresponding to the response message is higher than the preset credibility level and preferentially sends the response message to the corresponding client.
9. A method for controlling authority based on protocol analysis, which applies the authority control system based on protocol analysis according to any one of claims 1 to 8, comprising:
receiving an access request message of a client and dividing the access request message into a request line, a request header and a request text;
respectively carrying out target keyword matching on the method field information, URL field information, HTTP protocol version field information in the request line and a plurality of request header field information items according to a preset keyword library, marking the method field information, URL field information, HTTP protocol version field information or request header field information that fails to match, judging whether the request text is empty in order to obtain the request data in the request text and generate target request data, and generating the target request data according to the URL field information in the request line or the request data in the request header when the request text is empty;
comparing the number of the marked field information with a preset number to determine a policy query result, wherein the policy query result comprises prohibition, pass or authentication;
executing policy execution according to the policy query result, sending the prohibited or authenticated policy query result to the corresponding client to prohibit the client from accessing the corresponding target server or authenticate the client, and sending the passed policy query result to the corresponding target server;
receiving a request resource constructed by the target server according to the target request data to search for the target request data, and generating a response message from the request resource and sending the response message to the corresponding client for responding;
when strategy query is carried out according to a matching result, analyzing the marked URL field information, the marked HTTP version field information and the marked request header field information, carrying out initial strategy query when the client type field information in the request header is marked, wherein the strategy query result corresponding to the initial strategy query is tentative;
when the initial strategy query is tentative, counting the number W of the marked URL field information, the marked HTTP version field information and the remaining marked field information except the client type field information in the request header, and comparing the number W with a first preset number W1 and a second preset number W2, wherein W1 is less than W2;
if W is larger than W2, determining that the final strategy query result is forbidden;
if W is not less than W1 and not more than W2, determining that the final strategy query result is authentication;
and if W is less than W1, determining that the final strategy query result is a pass.
Application CN202211536906.6A, "Authority control system and method based on protocol analysis", priority date 2022-12-02, filing date 2022-12-02, status Active.
Publications: CN115622803A, published 2023-01-17; CN115622803B, published 2023-04-14.